Suppose I want to run some program which requests too many permissions. For example, record from the microphone or read IMEI of my phone. However, there are no practical explanation why recording from the mic or IMEI number is needed for this particular application, except for data mining.

I want to try this app, but restrict its permissions. For example, if it reads IMEI, it should get random IMEI(but the same every time). If it tries to read the mic, it should get silence.

I have been asking this question on stackexchange, but was directed here as this site has a wider android audience.
–
Denis NikolaenkoDec 1 '10 at 23:23

5

I have never seen anything like this but I don't see why it couldn't be done. Its a good idea.
–
MattDec 2 '10 at 1:56

1

Could you use the emulator in the developer SDK to accomplish a lot of this?
–
Al E.Dec 2 '10 at 15:09

1

Basically, yes. Using emulator as a sandbox is possible. But what if I want to run an app on the physical phone, but keep my privacy?
–
Denis NikolaenkoDec 2 '10 at 15:35

I know this question is old, but can you elaborate what context make you you want to test some malicious app on your own personal physical device and answer bogus personal data ? To me, current cyanogenmod solution (reject calls, do not produce fake data) seems enough.
–
Stéphane GourichonAug 21 '14 at 18:29

Whisper Systems has come out with a custom ROM that has this exact feature: http://www.whispersys.com/permissions.html. As DarthNoodles mentions, it has to be done at the system level rather than the app level, which is how it is implemented in WhisperCore. The current version isn't able to block all of the permissions available on Android, but they are working on supporting more of them.

CyanogenMod 7.1 has exactly this feature, but without faking data, only failing, if the app accesses the API. Proposition for faking the IMEI was rejected. Faking other data, like contacts, is currently under discussion.

Steve Kondik explains why it was rejected in this post: plus.google.com/+SteveKondik/posts/iLrvqH8tbce Extract: "I rejected these patches since they create a hostile environment for applications, and that's not the direction I want to see CM go. (...) developers who don't want their apps running in unpredictable environments. (...) I think these patches are just more security theater and don't really solve a problem. Why do you want to run malicious applications anyway?"
–
Stéphane GourichonAug 21 '14 at 18:25

Not an absolute solution to your problem, but there is an app in the android market which caters to your needs. It also necessarily requires better knowledge about permissions and also a rooted device.

Permissions Denied is an app which allows you to effectively control the permissions that apps which are installed onto your phone, via the market or some other source. Also be aware that denying an app a permission that it is requesting may result in the app Force Closing. (hence requiring you to have better knowledge on how to use it)

Note : This app Requires Root Access. This app will not work on all device.

It's a logical solution for a potential problem and a long time irritation of mine.

However, you must remember that whatever solutions are available for a security application would also be available for a malware app. If a security app could block net access then a malware app could block it also, stopping a security app from updating data files for instance.

Such tools would require root access to the phone, if you grant it, should have an ultimate trust in the tool, like "Permissions Denied". If you grant root access to a random application from the market, you just shot yourself in the foot :)
–
Denis NikolaenkoAug 3 '11 at 3:16

There is an ongoing research on this this subject. A non yet released proof of concept is implemented for some of the privacy sensitive APIs exactly as I proposed. The privacy manager is called TISSA, short for Taming Information-Stealing Smartphone Applications.

There is an App Shield application. It essentially repackages .apk with permissions removed from manifest. Brilliant idea for stock, non rooted phones. Subject to crashes (force closes), though, as with current CyanogenMod approach.

This sounds great, but the link is dead and searches on Google Play find nothing. Is App Shield still available, and if not, is there a reason why that we should know about?
–
user568458Jun 2 '12 at 14:20

There is a Privacy Blocker (paid) and Privacy Inspector (free) applications. Privacy Blocker does a static analysis of applications for sensitive API calls and rewrites these calls into stub ones which return fake data. As a result a new .apk with rewritten application is generated and installed. Privacy Inspector is an app which only reports the use of sensitive API calls.

I'm fairly certain that tool that you seek doesn't exist yet. But your idea is great. Few point though;

ofc; app can freely read and write it's own app directory

giving fake read acces : for every possible read (and there's a lot app can try to read) default response should be generate; lot a work but doable

however; giving fake write access is lot harder; what if it uses sd card to store big temp files; like bitmaps. On unrooted phone; only place app can write is sd card; and using content provider (for stuff like contacts, and calendar). And app desiger isn't expecting to fail in writing data; so app could crash.

Good thing is that the worst that could happen is that app might crash.